Sherrill F. Norman, CPA, Auditor General
Report No. 2017-087
January 2017
AGENCY FOR STATE TECHNOLOGY
State Data Center Operations
Information Technology Operational Audit
 
 
Executive Director of the Agency for State Technology
Section 20.61, Florida Statutes, creates the Agency for State Technology. The head of the Agency is the Executive Director and the State’s Chief Information Officer who is appointed by the Governor, subject to confirmation by the Senate. Jason M. Allison served as Executive Director and Chief Information Officer during the period of our audit.
The team leader was Andrew Denny, CISA, and the audit was supervised by Brenda Shiner, CISA. Please address inquiries regarding this report to Arthur Hart, CPA, Audit Manager, by e-mail at arthart@aud.state.fl.us or by telephone at (850) 412-2923.
This report and other reports prepared by the Auditor General are available at: www.myflorida.com/audgen
Printed copies of our reports may be requested by contacting us at:
State of Florida Auditor General
Claude Pepper Building, Suite G74
111 West Madison Street
Tallahassee, FL 32399-1450
(850) 412-2722
 
SUMMARY
On July 1, 2014, the Agency for State Technology (AST) was established and the Northwood Shared Resource Center (NSRC) and the Southwood Shared Resource Center (SSRC) were transferred to the AST. This operational audit of the AST focused on evaluating selected information technology (IT) controls applicable to the State Data Center Operations. Our audit included a follow-up on related findings noted in our report Nos. 2013-182 for the NSRC and 2014-052 for the SSRC, as well as Finding No. 2014-021 noted for the NSRC in our report No. 2015-166. Our audit disclosed the following:
Finding 1: Administrative access privileges granted for some AST users and service accounts to selected mainframe, open systems, Windows server environments, and network domains did not promote an appropriate separation of duties and did not restrict users and service accounts to only those functions appropriate and necessary for assigned job duties or functions.
Finding 2: Some service accounts remained active when no longer needed and some service accounts inappropriately allowed interactive log-on, increasing the risk that the confidentiality, integrity, and availability of AST data and IT resources may be compromised.
Finding 3: The AST did not perform quarterly reviews of user access privileges for the mainframe, open systems environments, and the network domains.
Finding 4: The inventory of IT resources at the State Data Center was not complete and, in some cases, was not accurate, increasing the risk that IT resources may not be appropriately monitored, tested, and evaluated to ensure the timely implementation of the latest security patches and other critical updates (e.g., service packs and hot fixes) from IT vendors.
Finding 5: Configuration management controls related to patch management for mainframe, network devices, and open systems environments continue to need improvement to ensure operating systems are appropriately secured and up-to-date.
Finding 6: Change management controls related to hardware and systems software changes continue to need improvement to ensure that only authorized, tested, and approved hardware and systems software changes are implemented into the production environment.
Finding 7: Contrary to State law,¹ four customer entities did not have signed service-level agreements (SLAs) with the State Data Center, increasing the risk that the effective, efficient, and secure operation of IT systems may be compromised for those customer entities.
Finding 8: Backup controls continue to need improvement to ensure that all IT resources that require back up are identified, backups are performed as required, and backups are periodically tested for recoverability.
¹ Section 282.201(2)(d), Florida Statutes.